One card issuer says the possible compromise of credit and debit card data could be the result of a point-of-sale device or software vulnerability, which, if confirmed, likely impacted more than just Goodwill.

Goodwill is a not-for-profit charitable organization that sells donated merchandise to fund job programs. It generated $1.79 billion in retail sales in 2013 and operates more than 2,900 stores along with an online auction site. The membership organization has 165 independent headquarters throughout the U.S. and Canada and an international presence in 14 other countries.

On July 18, Goodwill was contacted by federal authorities and an unnamed "payment card industry fraud investigative unit" about a possible card compromise, according to a statement provided to Information Security Media Group. On July 22, the charity posted an updated statement to its website, saying it had initiated an investigation into the possible breach with federal authorities.

So far, no breach of payments data has been confirmed.

"We are proactively engaged with the payment card industry contacts, the Secret Service and all Goodwill headquarters to identify what problem, if any, exists so that we can take prompt and appropriate actions as well as communicate appropriately to any affected parties," says Goodwill spokeswoman Lauren Lawson-Zilai.

Reviewing Fraud Activity

An executive with a Midwestern bank who's reviewing fraudulent activity that might be connected to Goodwill purchases tells Information Security Media Group the suspected breach could date back to January.

But determining the exact point of origin for the compromise has proved challenging, says this executive, who asked to remain anonymous. That's because some issuers now believe numerous merchants, including Goodwill, may have been impacted by a malware attack that remotely compromised point-of-sale terminals via a software vulnerability.

Remote-access vulnerabilities have been linked to a number of recently suspected card data compromises, including one involving the breach of a LogMeIn account used by Vancouver, Wash.-based Information Systems & Supplies Inc. last month. IS&S is an independent POS systems and security provider that caters to the food-service industry (see POS Vendor: Possible Restaurant Breach).

On June 12, IS&S alerted some of its restaurant customers about a remote-access compromise that may have exposed card data linked to POS transactions conducted between Feb. 28 and April 18 of this year. LogMeIn is a remote access and systems management provider that facilitates, among other things, file sharing and data backup.

Security risks associated with remote access have been blamed for breaches at other restaurant chains and retailers. For example, in 2011, investigators uncovered a remote software weakness that hackers exploited for nearly three years, allowing them to access the POS networks of more than 150 Subway restaurant franchises and other merchants. And in the spring of 2013, federal investigators traced POS malware that targeted a select group of Kentucky and Southern Indiana merchants back to a remote software vulnerability (see Retailers Attacked by POS Malware).

Marjorie Meadors, assistant vice president and head of card-fraud prevention for Louisville-based Republic Bank & Trust, one of the issuing banks impacted by the 2013 attack, contends that POS vendors and remote-access software are among the payments industry's weakest security links. "The software companies cause the problem but get off totally free," she says.

No Centralized Network

Goodwill did not respond to ISMG's request for information about the type of POS terminals and software used in its U.S. locations. But spokeswoman Lawson-Zilai says the organization does not have a centralized point-of-sale network. Goodwill also has not said whether the possible breach affected sales made through the organization's online auction site.

"Goodwill Industries International is composed of 165 autonomous, independent agencies with headquarters throughout the United States and Canada, and an international presence in 14 other countries," Lawson-Zilai says. "Each of these headquarters is governed by a local president and CEO. In addition, each Goodwill headquarters operates the stores and donation centers within its territory. There is not one central point-of-sale network."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
